Southeast Asia’s leading eCommerce platform Lazada has concluded its latest live bug bounty with YesWeHack, a leading global Bug Bounty and Vulnerability Disclosure Policy (VDP) Platform. The two-day live bug bounty program, which was held at the Hack In The Box Security Conference (HITBSecCONF 2022), resulted in 115 vulnerability reports being submitted by the several dozen researchers present at the event, including some of the best security researchers in the world.
After running a successful two-year Bug Bounty program with YesWeHack, Lazada scaled the program to the next level this year during the HITBSecCONF 2022. The event allowed Lazada to test their applications over the given period of time while being able to meet with researchers to exchange discoveries—thus giving Lazada deep and exclusive insights into the vulnerabilities found.
Lazada wanted to use this live event as an opportunity to achieve in-depth security. To enable this, the company voluntarily disabled a number of security mechanisms for participating researchers and only for the period of the event, allowing them to extensively test the systems and applications. For instance, researchers were able to bypass Web Application Firewalls (WAF) throughout the length of the event—allowing them to hack into the eCommerce platform’s sites and services directly. Lazada had chosen to disable WAFs for the hunters, due to the fact that while they are able to block most of the attacks, they are not infallible. In addition to WAFs, Lazada also disabled other security solutions that are typically used as the first line of defense, so as to offer hackers the chance to test their application in greater depth.
“Accomplishing a live program on this scale demonstrates Lazada’s commitment to security and progressive stance towards bug bounties. By engaging with the broader community, the eCommerce giant is placing an unprecedented level of trust in ethical hackers to better strengthen their security, transparency, as well as data privacy and protection. We are delighted to be able to contribute to yet another successful collaboration with Lazada,” said Kevin Gallerin, CEO APAC, YesWeHack.
“Securing customer’s data and protecting it from any future incidences is of highest importance at Lazada. Having some of the best security researchers in the world in the same room as us is an exceptional opportunity to learn and exchange—especially for our red team, who mounts deliberate attacks on our systems daily to identify and fix vulnerabilities,” said Bruno Demarche, who leads the Red Team & Security Testing Team at Lazada Group.
“The live bug bounty program was a rewarding experience for Lazada and YesWeHack alike. The teams have been able to uncover quality results, which has already given us ideas on how we can improve our internal testing processes for our application and services to ultimately better safeguard Lazada’s customers and partners,” said Yuezhong Bao, Head of Cybersecurity, Lazada Group.
Lazada’s partnership with YesWeHack began in January 2020 with a successful 18-month private bug bounty program. The partners then continued to expand the scopes of their collaboration, and Lazada opened its program to the public in 2021, with rewards of up to US$10,000 per bounty. Since then, the company has been working with over 45,000 ethical hackers to detect flaws within their application and systems to achieve maximum security and protection over their platforms.
The collaboration with Lazada has also allowed YesWeHack to further advance its community of cybersecurity experts and position the company as the leading player of bug bounties in Asia Pacific. Since 2019, YesWeHack has served more than 60 clients from its Asia Pacific headquarters in Singapore, including large BFSIs, tech unicorns and government bodies. With a growing market demand being seen for the crowdsourced security model, 40 percent of YesWeHack’s security researchers are based out of Asia, with 30 percent of its clientele coming from Australia, China, Indonesia, Malaysia, and Singapore.